Facial recognition technology might be a boon for mobile payment security, but it also represents another weapon for cybercriminals, a cybersecurity expert warns.

A mobile research team inside Intel Security Group’s McAfee Labs recently discovered a strain of Android-based malware that uses a fake but convincing interface to collect a wide range of personal information from unwitting users – ending with a picture of the victim and their ID card.

“That’s right,” Intel Security cybersecurity and privacy director Bruce Snell writes in an Oct. 13 blog post: “Malware is now asking for you to take a selfie.”

Courtesy Dell Security

An example of a Trojan horse, the malware tricks users into installing it – and therefore granting the permissions it needs to execute its malicious goal – by pretending to be a video codec or plugin (right). The malware then runs in the background, waiting for users to open the type of app that would legitimately ask for a credit card number.

After the user opens an appropriate app, the malware displays its own window instead, asking for credit card details and, after validating the number, going on to ask for additional information, starting with the four-digit number on the back and continuing with the user’s age, birthday, mailing address, and even pictures of the front and back of the user’s ID.

Courtesy Dell Security

Finally, with all of that information collected, the malware asks the unwitting victim to take a selfie with their ID in hand (left).

“If you entered in everything you were asked for, the cybercriminals controlling this malware would now have all the information they needed to gain access to your online accounts,” Snell writes. “While it’s not the first time we’ve seen malware that asks for a picture, this is the first time we’ve seen this in mobile malware.”

While this particular strain has only affected users in Singapore and Hong Kong so far, he writes, it’s a good idea for North American users to recognize the threat it represents and prepare accordingly.

Don’t install random plugins

“If you go to a site that is asking you to install a ‘codec’ or ‘video plugin,’ don’t do it – either that site is using an older out of date video format (that could be vulnerable to more malware) or it is trying to get you to install malware,” Snell writes. “Either way, go to another site.”

The majority of the internet has settled on a handful of different formats to use for videos, he writes, and the majority of mobile operating systems have them installed already. If you truly think you’re missing a legitimate plugin, go directly to the site that makes it and install it from there.

Don’t take a picture of your ID

“You should always be skeptical when apps start asking for too much information,” Snell writes. “In general, storing that sort of information on a server (picture of your ID, passport, etc.) is not a good security practice, so even if an app you are using is legitimately asking for a copy of your ID, you may want to reconsider ditching that app for another one with better security practices.”

Install security software

Normally keeping your device up to date offers a good base level of security protection, Snell writes, but since Trojan malware is installed with the user’s permission, having the latest system won’t protect them from this particular strain.

“Cybercriminals are certainly not slowing down their efforts to steal your data, but with good security practices and the right protections in place, you have a fighting chance,” he writes.

Eric Emin Wood is an Associate Editor at IT World Canada. When not writing about the tech industry he enjoys photography, movies, travelling, and the Oxford comma, and will talk your ear off about animation if you give him an opening.